Amara

We express our gratitude to the Amara team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

AmaraStaking is a groundbreaking solution contract for the Amara token that offers fixed-APY reward tiers over predefined lock periods and applies a calibrated clawback to neutralize early exits. It uses epoch-aware accounting with a halving threshold to adjust rewards over time, supporting periodic claims and full withdrawals at lock expiry.

The system users should acknowledge all the risks summed up in the risks section of the report

{Finding_Table?columns=title,severity,status&setting.filter.type=Vulnerability}

Documentation quality

• Project overview is clear and well-structured. Core logic is explained with examples and tables.

• Run and deployment instructions are included.

• Technical specification is covered.

• Roles and access control are not explicitly documented.

Code quality

• Development environment and scripts are well set up.

• Code follows solidity best practices.

• NatSpec is sufficient within the codebase.

Test coverage

Code coverage of the project is 52.27% (branch coverage).

• Test cases cover the main functional logic and core flows.

• A gas usage preview is included to provide an overview of method costs during execution.

The AmaraStaking contract is a staking protocol built for the Amara token ecosystem. It enables users to lock their Amara tokens for fixed periods in exchange for rewards calculated at specific APY rates. Rewards are distributed over time and may be claimed periodically, subject to minimum claim intervals.

The system introduces a clawback mechanism designed to penalize early withdrawals. If a user exits before the lock period ends, both accrued rewards and a portion of the staked principal are subject to penalties. This ensures that short-term exits do not provide an advantage over longer-term commitments.

To preserve reward sustainability, the contract implements an epoch-aware halving mechanism. Once a specified reward distribution threshold is reached, APY rates for future rewards are automatically halved. The system splits calculations into pre-halving and post-halving segments to ensure fair allocation for all stakers.

The protocol also supports tier-based staking: each lock period (e.g., 2, 3, 6, 12, or 24 months) defines its own APY level and associated benefits. These tiers can be configured and updated by the contract owner, allowing flexibility in shaping staking incentives.

In addition, the contract provides functionality for:

• Tracking user stakes with unique IDs, including amount, lock period, and claim history.

• Claiming rewards periodically, provided sufficient reserve is available.

• Withdrawing staked tokens with or without penalties, depending on lock expiry.

• Administrative controls such as updating reward halving thresholds, modifying tier configurations, setting emergency withdrawal fees, pausing/unpausing operations, and recovering tokens mistakenly sent to the contract.

Overall, AmaraStaking enforces a structured reward system that balances long-term incentives with mechanisms to protect against abuse, while allowing controlled adaptability through owner-governed parameters.

Privileged roles

The owner of the AmaraStaking contract holds full administrative authority over the protocol. This account is the only role permitted to perform sensitive operations, including:

• Updating staking tier configurations (APY, descriptions, and active status).

• Adjusting the reward halving threshold or manually triggering halving events.

• Setting the emergency withdrawal fee applied to early withdrawals.

• Pausing or unpausing the contract, thereby enabling or disabling all core user operations.

• Recovering any ERC-20 token from the contract.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope